From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path: <gentoo-announce+bounces-1740-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
by finch.gentoo.org (Postfix) with ESMTP id 7D7001389E2
for <garchives@archives.gentoo.org>; Fri, 26 Dec 2014 18:38:23 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
by pigeon.gentoo.org (Postfix) with SMTP id C98E5E0BCE;
Fri, 26 Dec 2014 18:37:40 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
(No client certificate requested)
by pigeon.gentoo.org (Postfix) with ESMTPS id 6FE68E0B43
for <gentoo-announce@lists.gentoo.org>; Fri, 26 Dec 2014 18:37:11 +0000 (UTC)
Received: from Elminster.local (pool-96-250-9-254.nycmny.fios.verizon.net [96.250.9.254])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
(Authenticated sender: blueknight)
by smtp.gentoo.org (Postfix) with ESMTPSA id 79F8C340042
for <gentoo-announce@gentoo.org>; Fri, 26 Dec 2014 18:37:10 +0000 (UTC)
Message-ID: <549DAAD4.7060507@gentoo.org>
Date: Fri, 26 Dec 2014 13:37:08 -0500
From: Yury German <blueknight@gentoo.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
Precedence: bulk
List-Post: <mailto:gentoo-announce@lists.gentoo.org>
List-Help: <mailto:gentoo-announce+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-announce+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-announce+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-announce.gentoo.org>
X-BeenThere: gentoo-announce@lists.gentoo.org
MIME-Version: 1.0
To: gentoo-announce@gentoo.org
Subject: [gentoo-announce] [ GLSA 201412-43 ] MuPDF: User-assisted execution of arbitrary code
Content-Type: multipart/signed; micalg=pgp-sha512;
protocol="application/pgp-signature";
boundary="tjPLlWMbuK6K8Lsea2wsBj6RGHsa7sl9M"
X-Archives-Salt: 8dd96dab-de94-471f-b160-a02119066431
X-Archives-Hash: b6d913dd2cc55373cfa45b636799e737
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--tjPLlWMbuK6K8Lsea2wsBj6RGHsa7sl9M
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-43
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: MuPDF: User-assisted execution of arbitrary code
Date: December 26, 2014
Bugs: #358029, #498876
ID: 201412-43
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
=3D=3D=3D=3D=3D=3D=3D=3D
Multiple vulnerabilities have been found in MuPDF, possibly resulting
in remote code execution or Denial of Service.
Background
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
MuPDF is a lightweight PDF viewer and toolkit written in portable C.
Affected packages
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-text/mupdf < 1.3_p20140118 >=3D 1.3_p20140118
Description
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Multiple vulnerabilities have been discovered in MuPDF. Please review
the CVE identifier and Secunia Research referenced below for details.
Impact
=3D=3D=3D=3D=3D=3D
A remote attacker could entice a user to open a specially crafted PDF
using MuPDF, possibly resulting in execution of arbitrary code with the
privileges of the process or a Denial of Service condition.
Workaround
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
There is no known workaround at this time.
Resolution
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
All MuPDF users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=3Dapp-text/mupdf-1.3_p20140118"
References
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
[ 1 ] CVE-2014-2013
http://nvd.nist.gov/nvd.cfm?cvename=3DCVE-2014-2013
[ 2 ] Secunia Research: MuPDF Two Integer Overflow Vulnerabilities
http://secunia.com/secunia_research/2011-12/
Availability
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201412-43.xml
Concerns?
=3D=3D=3D=3D=3D=3D=3D=3D=3D
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=3D=3D=3D=3D=3D=3D=3D
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
--tjPLlWMbuK6K8Lsea2wsBj6RGHsa7sl9M
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - https://gpgtools.org
iQIcBAEBCgAGBQJUnarUAAoJEHUQoJc5cxF0aKIQAKkOsd318rGIJeXw9sq/p7YV
tTppLvb1CQ1rr0RZ3udfJ79zbYFwd1rWLYqqhV+lDfBmi9gnE3lvYHliqNOmyrhz
cMG8yNwgm8/nGMw/gpUA409h3zE8ffV6Z+6gzkGtGuRjMqaCwfrRqbd3hXSZ2DB3
iAr/w4zUkIcS1saZB8FujLsjRH4RqRqArG4s9skGTiWZJUSVTCmlXho5pj9m1Zg2
+13f/o/NZNIXjrhYFa+oH1KkjNvBQC1jsn3GxeEhoYpyvWZRMWb70d2SqgeHxNe7
BZ26sHMTeT4scmZeVZkP2w9xT8WmGZTCgmQMSTPuDFcAScguDuaRbQGJ/HasDNy+
YZEL/hGqp2UjuW4svK0MEAG0I6Dd9sh29rb4pZOc9bmaacEev5E8hcEbhemkWKWs
gJZC+WUxgJXfJFN/QErJwL5yMXGjU6S/oZS5X4X/nNzzpmLPhbO77Qo8nIBhcPHh
HboGU1r1fncsBUWmP+xtp7RaQHfxUOZJHoZZzcMPBe8xhiBiCns/uiSa19hjKzvO
co0E4F354B/4SOSsdSIfoz1XzCFDs/mSwtXdQkCgnmhGDdNtZTeay9+s6xJmcdw9
HHqFD8l1tnAehO4F4k1/BpFVmdmeQn5MTMnJIYCrXyDjoKZ1vWelrPMaSEGPENgy
wnv8Z93neKmvGwDBBI9c
=ORle
-----END PGP SIGNATURE-----
--tjPLlWMbuK6K8Lsea2wsBj6RGHsa7sl9M--